Monday, December 31, 2012

Facebook Data Use Policy email sparks security fear amongst some users

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Has Facebook sent you an email about its data use policy?

Don't feel too special - they sent it to an awful lot of people.

Here's what you probably received, in an email entitled "Updates to Data Use Policy and Statement of Rights and Responsibilities":

Facebook data policy email

In case you're still unsure - that is genuinely an email from Facebook.

Yes, Facebook has just given its one billion (and counting..) users seven days to comment on a change it is making to its data use policies.

That's correct. You've only got until November 28th if you wish to respond. I'm sure that the fact Facebook has chosen to do this across a major US holiday is purely an unfortunate coincidence rather than a deliberate timing decision.

One of the company's planned changes is to change the way it handles future changes to its data use policy (which explains how the site collects and uses data about you). Facebook says it wants to ditch user voting in favour of requesting feedback in the form of comments from users.

Additionally, as The Telegraph explains, the proposed new data use policy would allow Facebook to use data from "from our affiliates or our advertising partners.. to tell us information about you" and "improve the quality of ads."

Part of Proposed Data Use Policy Redline

In all likelihood, this is part of Facebook's plan to build up a more precise picture of its many users, targeting advertisements better, and using data not only from its own site but recently acquired companies such as Instagram.

Some people are so used to being bombarded with bogus and malicious emails claiming to come from the likes of Facebook, LinkedIn and Twitter that they don't believe the legitimate communications they receive any more.

It's unfortunate that this latest legitimate email from Facebook, which is being sent to over a billion email accounts around the globe, has caught some social networking users off-guard.

In fact, Naked Security has received queries from readers who are worried that the email could be a phishing attack, or an attempt to infect their computers with malware.

Take this example from "Laura" (we've obscured some details to protect her identity):

Reader's question to the Naked Security team

Not sure what I'm reporting but myself and loads of others on FB have received emails from FB about "Data use policy"
I never opened mine but deleted it.
Is it a scam or a virus?
Have you received other complaints about it?
I see below you want URL etc, but a bit nervous to open the link to copy for you

Laura, although it would be perfectly possible for a malicious hacker to spam out a message pretending to be from Facebook, and they could even ape its wording, look-and-feel etc, I suspect that you've received the real thing.

Maybe if Facebook wants more users to respond and give feedback regarding the changes to its data use policy it should display a message as users log into the site. That would, at the very least, go some way to reassure them that the emails are legitimate.

And, of course, it may encourage more feedback from users regarding the changes. As I imagine that's what Facebook wants, right?

Follow @gcluley


Blackhole exploit kit confusion. Custom builds or copycats?


Black hole. Image from Shutterstock

The past couple of weeks have been interesting times for anyone following the malicious Blackhole exploit kit that continues to dominate the charts.

Don't get me wrong, we expect changes and updates - the individuals behind the kit work tirelessly to try and evade security products. However, some of the recent changes are a little confusing to say the least!

One of the key aspects of the Blackhole exploit kit that we identified in previous research was the organised and coordinated nature of the kit. For example, as soon as a new obfuscation method was added, we would quickly see it in use, across the majority of exploit sites being tracked.

The release, in September 2012, of Blackhole exploit kit version 2 introduced several changes, but the coordinated 'rollout' of minor tweaks and modifications continued.

And so to recent developments that we have been observing. Firstly, let's start off with a quick recap of what we are seeing:

So what is going on? Why this sudden burst of diversity from Blackhole?

Or is this a new kit? Are some of these recent Blackhole changes actually not Blackhole at all, but some other kit?

As I have been putting together this post, I see that our colleagues at F-Secure are asking a similar question.

Several factors point to this being Blackhole (or at least very closely related - same codebase, potentially same authors).

- obvious similarities in the function names, filenames, structure etc of the exploit site
- incoming user traffic is using the same malicious script injections (Mal/Iframe-W redirects injected into legitimate web sites)
- URL structure used in the kit is consistent with Blackhole v2

Personally I suspect these new 'flavours' of Blackhole are from the same group. However, there is one nagging doubt I have:

some of the new features could be considered retrograde steps for Blackhole. Why would they revert to using predictable content within the URLs?

Whatever the case, we will continue to monitor these attacks closely, ensuring our reputation filtering and content detection technologies protect customers, regardless of the group behind them!

Landing page detections: Mal/ExpJS-N, Mal/ExpJS-AN, Mal/ExpJS-AV
Flash content detections: Troj/SWFExp-AI, Troj/SWFExp-BE
PDF detections: Troj/PDFJS-AAS, Troj/PDFEx-GX
Java detections: Mal/JavaGen-A, Mal/JavaGen-C, Mal/JavaGen-E

Follow @SophosLabs

Thanks to Gabor and Ferenc in Sophos's Budapest lab for their assistance in putting together the content for this article.

Black hole image from Shutterstock.



Sunday, December 30, 2012

NASA suffers major data breach over stolen laptop that wasn't encrypted


NASA image, courtesy of Shutterstock

In March 2011, algorithms used to command and control the International Space Station were exposed.

In March 2012, it was the personally identifiable information (PII) of 2,300 employees and students.

In another incident, it was sensitive data on NASA's Constellation and Orion programs.

This time around, on 31 October, it was PII on an unspecified, but large, number of NASA employees and contractors.

All these instances involved the theft of unencrypted laptops from NASA. With this most recent theft, the space agency is finally doing something about these incidents, beyond the limited scope of its previous remediation efforts.

NASA announced on Tuesday that, effective immediately, the agency is jumping on the encryption fast track.

By 21 December, no NASA-issued laptops containing sensitive information will be allowed to leave a NASA facility unless whole disk encryption software is enabled or sensitive files are individually encrypted.

In a message sent agency-wide to all employees, Associate Deputy Administrator Richard J Keegan Jr. informed NASA staff that somebody or somebodies broke into a locked vehicle and stole official NASA documents on 31 October.

The laptop contained records with PII for a large number of employees, contractors and others, Keegan said.

He gave no explanation as to why the agency waited weeks to inform employees.

Rocket. Image from Shutterstock

The computer was protected only with a password and lacked whole disk encryption, which left the information accessible to thieves.

NASA is taking standard breach precautions, including contracting a data breach specialist, ID Experts, to notify those whose PII was compromised.

The agency is offering free credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, access to fraud resolution representatives, and a call center and website.

It's recommending that anybody affected activate these services ASAP.

NASA is also recommending that those affected be wary of suspicious phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it.

NASA and ID Experts won't be contacting employees to ask for or to confirm personal information, Keegan said, so any such communication is sure to be bogus.

NASA's embrace of full-disk encryption has up until now been less than comprehensive.

After the March 2012 stolen laptop and PII exposure, the agency pledged:

...a full review of current IT security policies and practices with the goal of making changes to prevent a similar incident.

At that time, NASA promised that all laptop computers at NASA Kennedy Space Center, not just ones with PII or sensitive data, would have their hard drives encrypted by September 2012.

In retrospect, it would have been smarter to extend that initiative to all hard drives, throughout the entire agency, not just those at Kennedy.

Secure laptop, courtesy of Shutterstock

But that is, apparently, a lesson that NASA has now taken to heart and will implement with all due haste.

The new full-disk encryption applies to all laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data.

Keegan said that NASA's Administrator and CIO have laid out the marching orders for agency CIOs to complete whole disk encryption of the maximum possible number of laptops by 21 November.

NASA plans to complete the effort by 21 December, after which no unencrypted laptop, regardless of whether it contains PII, will be allowed to leave its facilities.

In the meantime, employees working remotely or traveling have been told to use loaner laptops if their NASA-issued laptop contains unencrypted sensitive information.

On Wednesday, a security vendor (or then again, more likely, many security vendors, but only one wrote to me directly) sent out a statement on the NASA breach that said,

"OK, whole-disk encryption might be good, but is it good enough?"

It's a question worth asking. As he said, data is in fact moving to and from laptops, in emails, files, and as data traveling to and from apps and servers.

Fortunately, NASA has also declared that storage of sensitive information on smart phones or other mobile devices is now taboo.

Let's hope they also have an eye toward all the places that data propagates, whether it's in emailed attachments, on mail servers that might be in the cloud, on smartphone mail apps, on backup tapes, or in any internal or outsourced operations.

Follow @LisaVaas
Follow @NakedSecurity

NASA image, courtesy of Songquan Deng / Shutterstock.com. Secure laptop and rocket images courtesy of Shutterstock



Saturday, December 29, 2012

Microsoft pushes IE 9 tweak via Windows Update to close three critical security holes


Internet Explorer 9

Microsoft has reminded Internet Explorer users of the importance of keeping their browser updated against security threats.

Microsoft said on Thursday that it had pushed an update to its Internet Explorer Version 9 web browser through its Windows Update feature earlier in the week in an effort to quickly close three critical security holes.

If unpatched and exploited by cybercriminals, the vulnerabilities could allow an attacker to use a webpage to install and run malicious code on vulnerable systems.

The company announced the release of IE Version 9.0.11 via Windows Update in a blog post, and advised users of IE 9 to apply it immediately.

The update fixes security holes associated with the recently released MS12-071 Security Bulletin.

The vulnerabilities affected the IE 9 browser running on every supported version of Windows. However, earlier versions of Internet Explorer were not affected, nor was IE 10, the latest version of Microsoft's popular web browser.

Microsoft blog post

Microsoft has described the security vulnerabilities as caused by a flaw in the way that IE 9 accesses an object that has been deleted or not correctly initialized. It affects three Internet Explorer components, named CFormElement, CTreePos and CTreeNode.

Attackers could exploit the so-called "use after free" vulnerabilities using a variety of techniques: websites, malicious ActiveX controls embedded in an application or Office document or malicious advertisements displayed on legitimate sites.

Attacks would still require users to click on the malicious content, and the attackers would be limited by the victim's permission levels on his or her own machine.

As we noted in our coverage of the November Patch Tuesday release, "use after free" bugs happen when software gives back memory to the operating system in order to free up resources it no longer needs, but then carries on using that memory anyway.

The update closes the security holes. Microsoft said that most IE9 users will get the upgrade automatically using Microsoft's Automatic Update feature. (A description of how to configure automatic updates can be found in a Microsoft knowledgebase article.)

Those who haven't enabled the Auto Update feature were advised to use the Microsoft Update service to download and install it.

The IE 9 update was released on Tuesday, one of six security bulletins released with Microsoft's monthly security patch release.

Follow @PaulFRoberts
Follow @NakedSecurity



FreeBSD shutters some servers after SSH key breach


Venerable BSD-based operating system FreeBSD has announced a smallish system compromise.

The FreeBSD administrators took a bunch of servers offline to investigate, and published a blow-by-blow account of what they know about the breach so far.

FreeBSD isn't the first open source operating system to suffer an intrusion on its core servers.

The Linux developers famously suffered both a malware attack and a server compromise last year that saw kernel.org vanish offline for over a month.

In this case, however, the FreeBSD crew and their users don't seem to have suffered too badly.

None of the so-called base repositories were touched - that's where core components such as the kernel, system libraries, compiler, core command-line tools and daemons (server software) reside. Only servers hosting source code for third-party packages were affected.

Fortunately, the investigation so far hasn't turned up any software packages that were Trojanised by the intruders. So the knock-on effect of the break-in will probably turn out to be minimal.

The official reason is given as a likely compromise of a developer's SSH key.

SSH, or secure shell, is the predominant remote-access protocol for non-Windows systems.

It supports a range of authentication schemes; on many systems, administrators do away with across-the-wire usernames and passwords, and opt instead for authentication based on public/private key pairs.

The idea is that I generate a key pair and send you my public key.

After verifying carefully that it really is my key, e.g. with a phone call, you upload my public key to your server. My SSH client can then use my private key to log me in; your server uses the corresponding public key to verify my identity.

Since my private key is itself protected by a password (or ought to be), we continue to enjoy the benefits of password-based security - plus the advantage that knowing my password alone is not enough for an attacker. He needs a physical copy of my private key file, too.

In this case, it sounds as though the attacker did manage to steal both authentication factors - key file and password - from the developer.
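One defensive check that follows from the "key file plus password" point above, added here as an example and not code from FreeBSD or Sophos: an audit that reports private key files stored without a passphrase. It parses the openssh-key-v1 container (cipher and KDF names are written as "none" when no passphrase was set) and the older PEM and PKCS#8 headers. The key files and paths it runs over are constructed samples with dummy key material.

```python
import base64
import struct

# Magic prefix of the openssh-key-v1 container written by ssh-keygen.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    start = off + 4
    return buf[start:start + length], start + length


def _pack_string(data):
    return struct.pack(">I", len(data)) + data


def private_key_is_passphrase_protected(pem_text):
    """True if the file can only be used with a passphrase, False if the
    private key is stored in the clear. Raises ValueError for other formats."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("openssh-key-v1 magic missing")
        off = len(OPENSSH_MAGIC)
        ciphername, off = _read_string(blob, off)
        kdfname, off = _read_string(blob, off)
        # ssh-keygen writes cipher "none" and kdf "none" when no passphrase was given.
        return ciphername != b"none" and kdfname != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, cleartext
        return False
    if header in ("-----BEGIN RSA PRIVATE KEY-----",
                  "-----BEGIN DSA PRIVATE KEY-----",
                  "-----BEGIN EC PRIVATE KEY-----"):
        # Legacy PEM keys signal encryption with RFC 1421 headers above the base64 body.
        return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines[1:-1])
    raise ValueError("unsupported private key format: " + header)


def build_sample_openssh_key(ciphername, kdfname):
    """Constructed test data: a structurally valid openssh-key-v1 envelope with
    dummy key material. It parses like a real key file but is not a usable key."""
    body = OPENSSH_MAGIC
    body += _pack_string(ciphername) + _pack_string(kdfname) + _pack_string(b"")
    body += struct.pack(">I", 1)                          # number of keys
    body += _pack_string(b"ssh-ed25519 dummy public key")  # public key blob
    body += _pack_string(b"\x00" * 64)                    # private section
    b64 = base64.b64encode(body).decode("ascii")
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format sample: the Proc-Type header marks it as encrypted.
LEGACY_ENCRYPTED_RSA_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

# Constructed sample key store (path -> file text); names are hypothetical.
SAMPLE_KEY_FILES = {
    "id_ed25519": build_sample_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_ed25519_unprotected": build_sample_openssh_key(b"none", b"none"),
    "id_rsa_legacy": LEGACY_ENCRYPTED_RSA_KEY,
}


def find_unprotected_keys(key_files):
    """key_files maps a path to that file's text; returns the paths whose
    private key is stored without a passphrase, sorted."""
    return sorted(path for path, text in key_files.items()
                  if not private_key_is_passphrase_protected(text))


if __name__ == "__main__":
    for path in find_unprotected_keys(SAMPLE_KEY_FILES):
        print("no passphrase:", path)
```

To audit a real account, read each file under ~/.ssh into the dictionary in place of the constructed samples.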

This is a hearty reminder that a chain is only as strong as its weakest link.

In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access - whether those are servers, laptops or even mobile devices.

Follow @duckblog



TNS24 - a fake courier company website, used by online scammers


TNS24

Beware of attractive strangers contacting you on Facebook, and requesting that you help finance a shipment of goods in your name.. you might find yourself out of pocket, with little chance of redress.

A Naked Security reader contacted us recently, worried that they had become the victim of an internet fraud after they were chatted up by a glamorous-looking woman on Facebook.

According to our correspondent:

"She connected with me on Facebook. Her name is [REDACTED], and she is very attractive. She gave me a story and I fell for it, and I sent her £250 through Western Union. She said she had no cards (lies) having my details she sent me papers for a consignment in my name. [REDACTED], the manager of the TNS24 shipping company phoned me after a few days to track the goods from Turkey to a UK port..."

"All she was concerned about was the consignment, then I was required to pay for the warehouse and insurance purposes £2500 which I did to a personal account through Western Union again, the addresses are all wrong, her Facebook account is an empty shell, I know my money is gone.."

We were curious to find out more, and our eyebrows were raised when we visited the TNS24 website at tns24.com.

Can you see anything odd?

TNS24 website

No? Take a closer look.

First of all, there's that photograph of one of the airplanes belonging to the "global courier service".

TNS24 Plane

Not got it yet? Let's take a look at this photograph of one of their staff, carrying a package.

TNS24 Package

Just to be clear - I haven't added the TNS24 logo to these images. TNS24 want you to believe that their planes and packages really look like this.

Here's one of their lorries:

TNS24 Lorry

By their (low) standards of Photoshoppery, the lorry's livery is quite good. But still unconvincing.

Most amusingly of all, however, is one of TNS24's alleged ships:

TNS24 ship

Yes, they really have cut-and-pasted the unconvincing TNS24 logo *backwards* onto the side of a boat.

TNS24 ship close-up

Umm.. guys.. wouldn't it have been easier to mirror-flip the image of the boat before trying to stick your pixellated logo onto it?

(Thanks to Naked Security reader @tug who has identified the ship as the "Aquiline", and found the original image which does not have the distinctive TNS24 branding.)

TNS24 testimonies

The TNS24 website publishes testimonies from happy, smiling customers - but our suspicion is that these are just as bogus as the photographs used to describe TNS24's staff and vehicles.

If you know where these photos of happy smiling customers come from, please let us know by leaving a comment below. (Of course, if you *are* a happy customer of the TNS24 website, we would love to hear about that too).

And when we tried to contact TNS24 by telephone, using the number they list on their website, all we got was an unobtainable message.

If you needed any more reason to be wary of using TNS24's services (especially if a stranger on Facebook has tried to trick you into believing that you're safe to wire them money via Western Union in order to have TNS24 deliver something) then ask yourself this:

"TNS24's website claims that the firm is headquartered in the UK - specifically in Chatteris, Cambridgeshire. So what does the domain registration for its TNS24.com website say?"

Surprisingly, it's registered at a Nigerian address:

Domain Name: TNS24.COM

Registrant:
Xtrim Technologies
Iheanyi Orji (webmaster@techtrendsng.com)
2 ago palace way
okota
lagos,23401
NG
Tel. +234.08085785120

Mr Orji may have nothing at all to do with TNS24, of course. But it's certainly odd that a UK firm that uses the slogan the "courier company you can trust" would have its website registered to an address in Lagos.

Take care folks. And look out for Photoshop disasters by scammers and fraudsters.

Follow @gcluley


Friday, December 28, 2012

Monday review - the hot 22 stories of the week


Thursday, December 27, 2012

Facebook finally enables HTTPS by default, we give away free T-shirts to celebrate


Back of T-Shirt

In April 2011, Naked Security wrote an open letter to Facebook about security and privacy.

Eighteen months later, it looks like we have some reason to celebrate - as Facebook appears to be saying "yes" to one of the three steps we asked them to take to better protect its users.

Way back in January 2011, Facebook announced it was implementing HTTPS to give its many millions of users the ability to automatically encrypt their communications with the social network - preventing hackers and attackers from sniffing your sensitive data while using unencrypted wifi hotspots.

Accessing Facebook with HTTPS enabled

However, Facebook made this enhancement to security "opt-in" only. Which meant that most people never turned it on.

In Naked Security's open letter, we asked that Facebook did a better job with HTTPS.

As we wrote to them at the time:

"We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers."

A posting last week on Facebook's developer blog, quietly announced that the site was finally going to be following our suggestion:

Facebook quietly announces the roll-out of https

In the blog post, Facebook said that it was finally starting to roll out HTTPS to its North American users, with the rest of the world following "soon".

We want to say this really clearly and loudly, so we'll use a big font:

Sure, we might have liked it if Facebook had enabled HTTPS by default more quickly, but it would be churlish to grumble now they're doing it.

If you can't wait for Facebook to turn on HTTPS/SSL in your neck of the woods, you should set it up for yourself. Log into your Facebook account and navigate to Account settings / Security where you should be able to enable "Secure Browsing".

Security settings

Of course, Facebook's roll out of HTTPS leaves us with a problem. We have a large pile of "Dislike" t-shirts that explain the three steps we'd like to see Facebook implement to improve privacy and security.

Clearly, with the roll out of HTTPS, one of those now needs to be crossed out.

So, we need to get rid of our T-shirts. We've decided the fairest thing to do would be to offer them to loyal subscribers to our email newsletter. Every month, until our stocks run out, we're going to give away 10 of these limited edition T-shirts to randomly selected newsletter subscribers.

Pile of t-shirts

If you're not already a subscriber to our newsletter, you can sign up here.

T-SHIRT GIVEAWAY TERMS & CONDITIONS: You need to be signed-up for our email newsletter at the time that we randomly select winners. If you've previously won a t-shirt from us in the giveaway, you can't win again. If you're a Sophos employee, tough luck - you can't win. If you're a Facebook employee, sure - feel free to subscribe and you might win a t-shirt, but we're not going to give you special treatment.

If you win, you will be contacted via email (naturally) to ask for your snail-mail address, so we can send you the shirt. It's kinda tricky otherwise. We'll do our best to give you a t-shirt in the size you want, but - hey - our stock is limited, so don't be too peeved if you get a baggy one. Your email address is only used for sending you the newsletter (you can unsubscribe at any time) and for asking you where we should send the t-shirt. No spam, we promise. We're nice guys.

Make sure that you keep informed about the latest security and privacy issues affecting Facebook users. Join the Sophos page on Facebook, where over 190,000 people regularly share information on threats and discuss the latest security news.

Follow @gcluley


Wednesday, December 26, 2012

LinkedIn spam drives traffic to Toronto Drug Store


At first glance it may look like an official email from LinkedIn, the professional business networking site, asking you to confirm your email address.

But it's not.

LinkedIn email spam

Because the emails don't really come from LinkedIn, and clicking on the link does not take you to the LinkedIn website.

Instead your browser is redirected to a website announcing that it is the "Toronto Drug Store", where a square-jawed trustworthy doctor-type is accompanied by a cut-price Anne Hathaway lookalike.

Toronto Drug Store website

The online store claims it will be able to help you with erectile dysfunction, and even offers a Thanksgiving sale in the form of a Cialis+Viagra "powerpack". (A steal at $74.95).

Of course, the link embedded inside the email could just have easily taken your browser to a website hosting malicious code, or a phishing page designed to steal your LinkedIn credentials.

The gang behind this spam campaign are banking on just a tiny proportion of the email recipients being tempted to buy something from the Toronto Drug Store website. If that occurs, despite the recipients initially believing they had received an email from LinkedIn, it will be worth the effort of the spammers because of the commission they can earn.

Yes, it's hard to believe that such a business model really works - but the cost of sending spam to millions of people is so small, and requires such little effort, that it still goes on.

My advice to you is to invest in a decent security solution that protects you not only against spam and malware that arrives in your email, but also checks the websites you are visiting in case they are dodgy too.

And remember to never buy goods sold via spam. If you do, you're just encouraging the spam problem to continue.

If you receive an email out of the blue from a brand that you trust, think twice before blindly clicking on the link - it may not be taking you to the real website at all.

Follow @gcluley


Acai Berry scammers $2 million lighter after FTC settlement


Acai berry capsules, courtesy of Shutterstock

The affiliate ad network behind a tidal wave of bogus pitches for Acai Berry weight loss products and colon cleansers has agreed to pay a $2 million penalty to the US Federal Trade Commission (FTC) for deceptive advertising.

The FTC announced the judgement on Wednesday against Clickbooth Affiliate Network of Sarasota, Florida and said the funds recovered from Clickbooth would be used to provide refunds to consumers who were taken in by the company's deceptive marketing practices.

The complaint charges Clickbooth with a variety of deceptive advertising practices to promote products with names like "Acai Pure," "Acai Max," "Pure Berry Max" and "Acai Advanced Cleanse."

Among other things, Clickbooth is alleged to have worked hand-in-glove with its affiliate marketers: helping design ads, tweak product claims and even design web sites on which the ads would appear.

Many of those sites were designed to look like news sites, with ads posing as news stories with titles like "Acai Berry Diet Exposed: Miracle Diet or Scam?" (Spoiler alert: it's a scam.) Those sites often contained the names and logos of broadcast and cable TV networks and made it seem as if the fake stories originated from those networks.

FTC logo

Consumers were given false promises about the effectiveness of the Acai Berry treatments and the sites failed to disclose that consumers who signed up for a "free trial" of the Acai Berry treatments were actually billed on a recurring basis for additional shipments of the product, the FTC said.

The FTC named John Daniel Lemp, the chief executive of Clickbooth.com, LLC, as well as IntegraClick LLC, and said that he and the companies he controlled were responsible for the false claims made by affiliate marketers.

Acai Berry treatments were a popular topic of spam email, tweets and social media posts. They were also linked to a number of malicious incidents, including account hijacking.

On numerous occasions, spammers compromised Twitter accounts, including the accounts of Hyatt and NHS Direct, and used them to spread fake testimonials lauding the benefits of the Acai Berry weight loss treatment.

The FTC responded with a string of cases against both the companies pushing Acai Berry treatments and the affiliate marketers they used. In September, for example, the FTC charged affiliate networks IMM Interactive and Coleadium with making deceptive claims and ordered them to pay $1 million to settle charges and agree to monitor affiliates in their network to make sure that they comply with federal truth in advertising laws.


Acai berry capsules, courtesy of Shutterstock



Tuesday, December 25, 2012

Fake Apple apps appear on Android Google Play store


If Apple were to start making Android versions of some of its most popular products that would be pretty big news, right?

So it's no wonder that eyebrows raised when a commenter on Reddit discovered what appeared to be a host of apps created by "Apple Inc" in the Google Play store.

Versions of Garage Band, iPhoto, iMovie, Keynote, Numbers and Pages were listed on the official Google Play store, all claiming to have been developed by Apple Inc and giving a contact email address of android@apple.com.

Fake Apple apps on the Android store. Click for larger version

The bogus Apple apps, which were listed for sale at prices between $4.98 and $9.97, have now been removed from the Android marketplace.

What isn't clear is whether this was a scam to simply pilfer money from unsuspecting Android users hoping to get some Apple-created apps on their devices, or whether it was a more sinister attempt to infect Android phones with malware.

Regardless of the motive, it's clear that once again the Android Google Play store has been found falling short in protecting its users, failing to prevent bogus apps from clearly unverified developers from being distributed via official channels.



Sophos awarded VB100 in Windows Server 2003 R2 comparative anti-virus test


The latest edition of Virus Bulletin magazine includes a comparative test of 36 different anti-virus products, exploring their ability to reliably detect malware on the Windows Server 2003 R2 platform.

Just as with the tests that Virus Bulletin conducts on other operating system platforms, the VB100 title is only awarded if a product is capable of detecting all in-the-wild viruses in both on-demand and on-access modes without suffering from any false positives.

Sophos performed well in the tests, outperforming a number of competing firms, and was awarded the VB100 title by detecting 100% of the viruses in Virus Bulletin's "in-the-wild" collection and not having any false alarms.

Virus Bulletin's Technical Consultant & Test Team Director John Hawes praised Sophos's stability, and highlighted our consecutive awards:

“Sophos put in a very strong performance in our latest comparative, easily earning VB100 certification and achieving good scores in all our measures. Stability was particularly impressive, with no problems encountered at all even in heavy stress tests - this earns Sophos our highest possible rating of ‘Solid’ for a second consecutive test, one of only two products to achieve this feat.”

More information about this latest test can be found in the October 2012 edition of Virus Bulletin magazine, which has just been published.

Don't forget that you can see Sophos's long track record in independent comparative tests on Sophos's reviews page.



Monday, December 24, 2012

Facebook shuts down Albania Pirate Group, after stolen passwords shared


It's easy to understand how hacking groups, involved in undercover cybercrime, might want to keep their activities hidden from the-powers-that-be and law enforcement agencies, and conduct their crimes in secrecy.

Which makes it all the more surprising when you stumble across a group apparently engaged in stealing and sharing login passwords for third party systems, doing so not just on a public-facing website, but on a page hosted by the world's biggest social network.

A reader of Naked Security, who works at a Yorkshire-based security company, contacted us last week to tell us about a particular Facebook page they had stumbled across belonging to the Albania Pirate Group.

Albania Pirate Group on Facebook

On its Facebook page, 600+ fans and members of the Albania Pirate Group were sharing RDP (Windows Remote Desktop) logins, giving hackers unauthorised access to computer systems, and what appeared to be compromised banking details.

The potentially sensitive information was free for anyone to view, even if you hadn't "Liked" the page.

Curiously, the Albania Pirate Group has a similar logo to the Kosova Hacker's Group, who breached servers belonging to the US National Weather Service last month.

Albania Pirate Group on Facebook

Sophos contacted Facebook, and within the hour the social network's security team had closed down the page.

Remember that pages and groups on Facebook are not pre-vetted, and anyone can create a page with ease and use it for illegal purposes. If you stumble across a Facebook page that you believe is involved in law-breaking or breaches the terms and conditions of the site, you should report it to Facebook.

Our thanks go to the Facebook security team for shutting down the page so promptly.

Stay informed about the latest security and privacy issues related to Facebook. Join the Naked Security page on Facebook, where over 190,000 people regularly share information on threats and discuss the latest security news.



Sunday, December 23, 2012

Skype users warned of serious security problem - accounts can be hijacked with ease


A serious security problem has been uncovered in Skype, which allows hackers to hijack accounts just by knowing users' email addresses.

The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their email address, and then changing the passwords of their "victims" to lock them out.

According to The Next Web:

"The reason this works is simple, but it's still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."

The issue was reportedly documented on Russian forums months ago, and appears to have been easy to exploit.

Skype has responded to the reports by temporarily disabling password resets for Skype accounts, and published a brief advisory to users:

Skype acknowledges there is a possible problem

"We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority"

Before Skype withdrew the ability for users to reset their passwords, the only protection for users was to change the email address connected with their Skype account to one which was not known by anybody else.

Microsoft-owned Skype has made the headlines for security reasons in the past. For instance, earlier this year it was accused of being slow to fix a flaw that could allow the gathering of information from Skype users, including a victim's city, country, internet provider and IP address.



Saturday, December 22, 2012

New variant of Mac Trojan discovered, targeting Tibet


It's true to say that there's a lot less malware in existence for Macs than there is for Windows PCs. But that doesn't mean that it doesn't exist at all.

And clinging onto the statistics of the much smaller proportion of Mac malware compared to Windows malware is going to be cold comfort if your Apple Mac is the one which ends up getting infected.

The latest Mac malware seen by the experts at SophosLabs is a new variant of the OSX/Imuler Trojan horse. In the past, earlier variants of the OSX/Imuler malware have been spread via topless photos of a Russian supermodel or embedded deep inside boobytrapped PDF files.

This time, it appears that a version of the Imuler Trojan has been used in a targeted attack against sympathisers of the Dalai Lama and the Tibetan government, as the malware appears to have been packaged with images of Tibetan organisations.

Tibet pictures

If your Mac was successfully infected by malware like this, you have effectively given remote control of your computer and your data to an invisible and unknown party. They could steal files from your Mac, spy on your emails, and plant further malware onto your systems.

(It will be left as an exercise to the reader to come up with a shortlist of who might have an interest in breaking into the computers of Tibetan organisations).

Customers of Sophos, including users of Sophos's free anti-virus for Mac, are protected against the malware which has been detected as a variant of the OSX/Imuler-B backdoor Trojan since the early hours of 11th November 2012.

Users of other Mac anti-virus products may be wise to check with their vendors if they are protected.

This new malware variant may not be widespread - but it is another indication that the malware threat on Macs is real, and should not be underestimated.



Friday, December 21, 2012

DDoS marketing stunt backfires, entrepreneur jailed for nine months


The owner of a web host tried to promote his anti-DDoS kit and highlight vulnerabilities by launching two brief DDoS (distributed denial of service) attacks against the Hong Kong stock exchange, but he instead wound up convicted and sentenced to nine months in jail.

According to the South China Morning Post, 28-year-old Tse Man-lai, owner of local web hoster Pacswitch Globe Telecom, in October was found guilty of "highly reckless" cyberattacks on the Hong Kong Exchanges and Clearing (HKEx) news site on two days in August last year.

He was sentenced on Friday.

Judge Kim Longley cited seven companies with a combined value of HK$1.5 trillion that were forced to suspend trading because of the attacks, including HSBC and Cathay Pacific Airways.

Tse claimed that he accessed the HKEx site in two brief spurts, the first lasting 390 seconds and the second lasting only 70 seconds.

In his defence, Tse said he was only on long enough to take photos and video footage documenting his attacks - a premise that the judge accepted.

Tse had sought to demonstrate that the exchange's news site was still vulnerable after having endured two other DDoS attacks from hundreds of computers outside of Hong Kong.

He claims to have invented a technique to prevent such attacks and planned to use the screen images and video of his attacks to market his defence method.

The South China Morning Post noted that a former lawmaker for the technology industry spoke up for Tse, saying that his work had "advanced IT" in Hong Kong.

Senior Inspector Raymond Cao Wai-ki, of the Commercial Crime Bureau technology crime division, told the Post that Tse's hacking didn't damage the site, but that the prison term would send a clear message that the Internet is "not a lawless territory".

Is Tse's sentence fair? Wasn't he acting as an ethical hacker, out to poke the stock exchange in the ribs? Didn't the stock exchange need that poke, given that it was still vulnerable after suffering a DDoS?

Yes, HKEx did need a wake-up call, but when it comes to ethical hacking, the devil's in the details.

The details here include the fact that Tse didn't receive authorisation to test the stock exchange's defences.

On the subject of liability for ethical hacking, Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com, told Info Security Magazine a few years ago that, at least in England, the lack of authorisation could have netted Tse up to two years in prison or up to 10 years if he had modified data during the course of his marauding:

"Broadly speaking, if the access to a system is authorised, the hacking is ethical and legal. If it isn't, there's an offence under the Computer Misuse Act. The unauthorised access offence covers everything from guessing the password, to accessing someone's webmail account, to cracking the security of a bank... There's no defence in our hacking laws that your behavior is for the greater good. Even if it's what you believe."

Tse should have brought the security threat to HKEx's attention.

Clever marketing stunts deserve to be applauded, but not when they amount to sticking your foot out and causing others to stumble.


Hong Kong skyline image from Shutterstock.



Papa John's pizza chain accused of SMS cheesiness, faces $250M class action


US pizza chain Papa John's is in the firing line of a Seattle, Washington, law firm.

Heyrich Kalish McGuigan, PLLC specialises in litigation against SMS spammers, robocallers and telemarketers.

And the lawsuit they're bringing against Papa John's certainly sounds dramatic. The lawyers say:

"[This] could be one of the largest damages awards ever recovered under the federal Telephone Consumer Protection Act. The class action lawsuit contends that 500,000 illegal text messages were sent to Papa John’s customers across the country. Papa John’s customers could be awarded $500 or more in statutory damages for each text message."

One issue seems to be consent to receive SMS messages. According to court documents:

"OnTime4U [a co-defendant that sent out 'special offer' SMSes on behalf of Papa John's franchise holders] apparently told Papa John's franchisees that it was legal to send texts without express customer consent because there was an existing business relationship between the customers and the Papa John's restaurants."

But the litigators argue that:

"Complaints from ... customers state that they ... received text message advertisements without having given their prior consent to Papa John's or one of the franchisees."

Tricky stuff.

The court has affirmed that the class action can go ahead on behalf of complainants from all over the USA. Even if you received only a single SMS, you're eligible to join in.

Each SMS you received could, if the class action lawyers are to be believed, represent $500 in cash - enough at current prices to order in 1250 Papa's Chicken Poppers, 658 Spicy Buffalo Wings, or a gutbusting 23.5 metres of Cheesestick (20.3 metres of the six-cheese variety).

While you're chomping on your Cheesesticks (which are delivered in handy lengths of approximately 300mm, by the way), here's an interesting irony on the issue of inferred consent for electronic communications.

Heyrich Kalish McGuigan's own privacy policy in respect of email advises that:

Unless you ask us not to, we may contact you via email in the future to tell you about specials, new products or services, or changes to this privacy policy.

What do you think?

Should emails and SMSes to existing customers or contacts be treated differently? In a world of mobile devices on which telephony and internet access are just two sides of the same coin, does this make sense?

Is it OK to have an opt-out policy for your own email-based marketing but to expect others to abide by a strict opt-in policy for SMS-based offers?

Let us know by leaving a comment below...




Wednesday, December 19, 2012

Windows Phone 8 malware? This teen hacker claims to have created a prototype


A teenage hacker prodigy in India claims to have developed a prototype of malware that will run on smartphones running Microsoft's new Windows Phone 8 operating system - the first known instance of Windows Phone 8 malware.

The researcher responsible for the prototype, Shantanu Gawde, is known as India's "youngest ethical hacker". He says he will unveil the malware prototype at the Malcon security conference in New Delhi, India, later this month.

Gawde's presentation will "demonstrate approaches and techniques for infecting... Windows Phone" including "how to steal contacts, upload pictures and steal private data of users, gain access to text messages etc."

However, little is known about the malware: for example, whether it relies on an exploit of an underlying vulnerability in Windows Phone 8 or masquerades as a malicious mobile application.

Dave Forstrum, director at Trustworthy Computing, Microsoft, commented:

"Microsoft is aware of the upcoming presentation but further details have not been shared with us. As always, we will investigate any issues disclosed in the talk, and will take appropriate action to help protect our customers."

At 16, Gawde is the world's youngest Microsoft Certified Application Developer (MCAD), having earned that designation at the age of just seven. In 2011, he presented a malware application that used Microsoft's Kinect gesture recognition technology at the same conference.

The Windows Phone 8 mobile operating system was released on October 29. It marks a major re-make of the Windows Phone 7 OS and includes higher screen resolution and support for multi-core processors, as well as Near Field Communications (NFC), a wireless technology that is integral to evolving mobile payments solutions.

The new OS also boasts some additional security features, including secure boot and native 128-bit Bitlocker encryption.

Microsoft also claims that the apps available in its mobile application store are "certified" - and vetted for malicious code and other security issues.




Tuesday, December 18, 2012

Microsoft Patch Tuesday - there's even a patch for your Mac!


We've just published our latest analysis and threat-level assessments of this month's Microsoft Patch Tuesday updates.

Here are the results in super-abbreviated form:

(RCE stands for remote code execution, where attackers may be able to trick the vulnerable software into running program code of their choice by feeding in maliciously-crafted data from the outside.)

Advice follows on the what, why and where of the patches rated High and Medium by SophosLabs.

MS12-071 - Cumulative Security Update for Internet Explorer

Three so-called "use after free" vulnerabilities are patched here, all for Internet Explorer 9.

Other versions of Internet Explorer (ironically including the one you should long have left behind, Internet Explorer 6) are OK, including Internet Explorer 10. So newly-configured Windows 8 and Windows Server 2012 computers, which come with Internet Explorer 10, don't need this fix.

Also, since Internet Explorer isn't part of Server Core installs - Microsoft's lower-attack-surface-area flavours of Windows Server - those systems are immune.

A "use after free" bug happens when software gives back memory to the operating system in order to free up resources it no longer needs, but then carries on using that memory anyway.

Since someone else might innocently have altered the contents of that memory in the interim, a "use after free" is pretty much guaranteed to end in tears.

If those interim memory modifications are deliberately crafted by an attacker, the outcome is even worse: a remote code execution exploit.

MS12-072 - Vulnerabilities in Windows Shell

Here, a malevolently-created Windows Briefcase (one of Microsoft's file synchronisation tools) could give an attacker remote control of your computer.

As in the case of MS12-071, Server Core installs aren't affected. All other platforms are at risk and need patching, from XP to Windows 8, and from Server 2003 to Server 2012.

MS12-074 - Vulnerabilities in .NET Framework

Five separate vulnerabilities were patched here, including one that can be exploited for RCE through a dodgy proxy configuration file.

All platforms, from XP to Windows 8, and from Server 2003 to Server 2012, are at risk - including Server Core installs of 2008 and 2012.

MS12-075 - Vulnerabilities in Windows Kernel-Mode Drivers

Three separate kernel vulnerabilities were fixed, including one involving the processing of fonts (TrueType Fonts, or TTF files).

Because fonts can be, and often are, embedded into web pages so they render precisely as the page designer wanted, this means that just visiting a web page could be enough to trigger an RCE event inside the kernel.

Again, XP to 8 and 2003 to 2012 (including Server Core installs) are vulnerable.

If you are looking for a "first amongst equals" patch to start with, I'd recommend these kernel driver fixes.

Treat the kernel as the administrator's administrator and take kernel-mode RCE flaws as your greatest concern.

MS12-076 - Vulnerabilities in Microsoft Excel

The Excel bug patched here applies to Office for Windows (2003, 2007 and 2010), to Office for Mac (2008, 2011), and to the standalone Excel Viewer.

Since Excel files aren't supposed to contain executable code - at least, not code that runs without clear warning to the user - they are often treated with comparative lack of concern when seen in emails or on web pages.

For what it's worth, even after you've applied this patch, I recommend a high degree of scepticism about untrusted, remotely-delivered Excel files.

Since Excel files are often about money, and budgets, and financial planning, trusting them implicitly even if they don't contain malware is a risky proposition!

Patch soon: as always, prevention is better than cure.




Monday, December 17, 2012

Petraeus tripped up by trust in supposedly anonymous email account


It turns out that a surprisingly naïve trust in the supposed anonymity of pseudonymous email accounts has triggered the downfall of the US's top spy chief.

FBI agents who were investigating what they initially thought was a cyber breach stumbled onto intimate messages on Gmail passed between David Petraeus, who on Friday abruptly resigned from his job as head of the Central Intelligence Agency, and his biographer, Paula Broadwell.

According to the New York Times, the scandal began when a Florida woman, Jill Kelley, received threatening, harassing email from an anonymous person who accused her of flirting with an unidentified man.

Kelley is a volunteer social planner for events at MacDill Air Force Base in Tampa, Florida, also home to the military's Central Command, where Petraeus served as commander from 2008 to 2010 before stepping into his role as head of the CIA.

Wired reports that the anonymous harassment was contained in between five and 10 emails that began to arrive last May and that reportedly warned Kelley to "back off" and to "stay away" from an unnamed man.

Kelley contacted a friend at the FBI, unsure of whether the threats constituted cybercrime.

Investigators took it up, eventually tracing the anonymous account that sent the threatening emails (it's not clear whether this was a Gmail or some other type of account) to a home in North Carolina that belongs to Broadwell and her husband.

Petraeus biography by Paula Broadwell

As Wired points out, it's unclear exactly how investigators tracked Broadwell down, but given our knowledge of email headers, we can make some guesses.

If the threatening mail came from a Gmail account, the FBI would have had to get the IP address from Google, given that Gmail headers only include the IP address and domains of the servers that pass along the email.

But other webmail providers, such as Yahoo, include the sender's IP address in their email header metadata.

However they did it, FBI agents spent weeks piecing together the identity of the harassing emails, the Wall Street Journal reports.

To do so, they determined the locations from which the emails were sent, including not only the Broadwell home but also hotels where Ms. Broadwell was staying when some of the emails were sent.

FBI agents and federal prosecutors then used the information as probable cause to seek a warrant to monitor what other email accounts Ms. Broadwell might have used.

They learned that Broadwell and Petraeus had set up a private Gmail account to communicate, exchanging heaps of sexually explicit messages.

Eventually, in late summer, investigators determined the real identity behind Petraeus's pseudonym.

As it turns out, Petraeus didn't pass on classified documents during his relations with Broadwell. That had been a national security worry when the story first emerged.

IP address. Image from Shutterstock

The saga continues as details emerge, but from a security standpoint, there's a takeaway for all of us who believe that an anonymous email account shields our identities.

If you'd like to see what your own Gmail, Yahoo or other email header is telling the world about you, I found this handy guide for looking at the information of 19 different webmail clients, third-party email applications and third-party webmail clients.

The X-Originating-IP header, which you can find in headers such as Yahoo's, will tell you the IP address of the computer that sent a given email.

You can then use an IP address locator such as WhatIsMyIPAddress to find out the ISP or webhost to which an email account belongs, plus its geolocation.
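To see for yourself what a message's headers give away, the script below is an added example (not part of the Naked Security article) that uses Python's standard `email` library on two constructed messages. The first mimics a provider that adds an `X-Originating-IP` header, as the article says Yahoo does; the second mimics the Gmail-style case, where only the relaying servers' addresses appear in the `Received:` chain. All hostnames, addresses and IPs are made up, and the test helper names (`originating_ip`, `received_hops`, `header_report`) are this example's own.

```python
"""Inspect what webmail headers reveal about a sender.

Added example: parses two constructed messages and extracts the
X-Originating-IP header (present on some webmail providers) and every
IPv4 address mentioned in the Received: chain. The Received: headers are
listed top-first, i.e. the hop nearest the recipient comes first.
"""
import re
from email import message_from_string
from email.message import Message

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: provider that stamps the submitting client's IP.
# Hostnames use the reserved .invalid TLD; IPs are documentation ranges.
SAMPLE_WITH_ORIGINATING_IP = """\
Received: from mta-out.example-webmail.invalid (mta-out.example-webmail.invalid [198.51.100.7])
\tby mx.recipient.invalid with ESMTP id abc123; Fri, 09 Nov 2012 10:15:02 +0000
Received: from [192.0.2.45] by web.example-webmail.invalid via HTTP; Fri, 09 Nov 2012 10:14:58 +0000
X-Originating-IP: [192.0.2.45]
From: anon.account@example-webmail.invalid
To: someone@recipient.invalid
Subject: hello
Message-ID: <constructed-1@example-webmail.invalid>

Body text.
"""

# Constructed sample: provider that only records its own servers.
SAMPLE_SERVERS_ONLY = """\
Received: from mail-out.example-mail.invalid (mail-out.example-mail.invalid [203.0.113.9])
\tby mx.recipient.invalid with ESMTPS id def456; Fri, 09 Nov 2012 11:02:10 +0000
Received: by mail-out.example-mail.invalid with SMTP id ghi789; Fri, 09 Nov 2012 11:02:08 +0000
From: another.anon@example-mail.invalid
To: someone@recipient.invalid
Subject: hello again
Message-ID: <constructed-2@example-mail.invalid>

Body text.
"""


def originating_ip(msg: Message):
    """Return the X-Originating-IP value without brackets, or None if absent."""
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    return value.strip().strip("[]")


def received_hops(msg: Message):
    """Return all IPv4 addresses found in Received: headers, top-first."""
    hops = []
    for received in msg.get_all("Received") or []:
        hops.extend(IPV4.findall(received))
    return hops


def header_report(raw: str) -> dict:
    """Summarise what a recipient can learn about where a message came from."""
    msg = message_from_string(raw)
    return {
        "originating_ip": originating_ip(msg),
        "received_ips": received_hops(msg),
        "sender_ip_exposed": originating_ip(msg) is not None,
    }


if __name__ == "__main__":
    for label, raw in (("originating-ip provider", SAMPLE_WITH_ORIGINATING_IP),
                       ("servers-only provider", SAMPLE_SERVERS_ONLY)):
        print(label, header_report(raw))
```

Run against a real message, the `received_ips` list still ends with whichever address the provider recorded at submission time; whether that is the sender's own machine or only the provider's infrastructure is exactly the difference the article draws between providers.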

That's handy when tracking spam email, if you want to track down the owner of the originating IP address of spam in order to lodge a complaint.

It's also handy to do it to yourself, to see how easily people can find information on you, even when you're tucked away behind a supposedly anonymous email account.

Remember, that invisibility cloak has plenty of holes.


IP address image from Shutterstock.




Saturday, December 15, 2012

Just how well do Android privacy apps hide your sexy photos and secret texts?


Do you have photographs on your smartphone that you don't want others to see? If an app publisher tells you that they will keep your secrets safe would you trust them?

The best advice when it comes to privacy and photos is "don't take a photo that you don't want your teacher/boss/mum/dad to see".

But as this advice is not always heeded, the next best thing is to keep them safe from prying eyes should anyone borrow, steal or find your phone.

Encouraged by a recent article on the shortcomings of the Snapchat safe sexting app, I tried a few apps that promise to protect your privacy, but often fail to do anything of the kind. These examples are all based on tests I conducted on an Android smartphone, but many of the apps are also available for iPhone.

Secret Pictures

First I tested Secret Pictures which describes itself thus:

"Prevent your pictures from letting others know! ... Pictures vanish from Gallery and are locked behind easy-to-use PIN pad. Protect your private pictures ... Secret Pictures locks your private pictures with your PIN. Only you can see the pictures in Secret Pictures."

It sounds very much like your pictures are protected, hidden from view, secured, etc.

But all it really does is move photos to a poorly hidden directory from where the photos can be viewed and shared. All it takes is a file browser and your privacy is ruined!

Photo Safe

Next is Photo Safe which markets itself with the slogan

"Protect Your Privacy! ... No one touches your private data without permission!"

Again, the app gives a definite impression that your hidden photos are safe from prying eyes, and again the app moves your photos out of the gallery - but this time the directory is not even hidden.

Instead, the Photo Safe app renames the file you want to hide in a weak attempt to disguise it, putting some extra characters after the file extension.

This photo is not hidden, protected or secured

You can either rename the file or instruct the phone that the file is an image, and once again it is viewable and shareable just like any normal photo.

KeepSafe Vault

Next in my list was KeepSafe Vault. This app describes itself as the

"Best hide pictures & video app on Android ... Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With KeepSafe, only you can see your hidden pictures. Privacy made easy!"

I started to see a recurring theme in the promises that these apps make.

This one has similar failings to the first two apps, using a weakly hidden directory and renaming the images, again easily overcome with nothing more than a file browser.

Hide Pictures and Text messages

It's not all doom and gloom though. There are some apps for hiding the pictures and text messages on your Android which live up to their promises although they all seem to come with some trade-off. You really don't get something for nothing when it comes to apps.

Take, for instance, Hide Pictures & Text Messages:

"lets you hide or encrypt almost anything on your phone including photos, videos, contacts, text messages, and other apps."

For once, when they say they encrypt the content they actually mean it. You can still browse to the directory where files are stored but any feasible attempt to open them outside of the app results in a "Load failed!" error message.
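The distinction the tests above turn on (a moved or renamed file versus a genuinely encrypted one) can be checked directly. The script below is an added example, not Sophos's code or any of the apps': it walks a directory as a file browser would, dot-directories included, and flags files that still begin with an image header regardless of name, as opposed to files whose contents look like encrypted output. The sample vault it builds is constructed, and the 7.5 bits-per-byte entropy threshold is an assumption.

```python
"""Check whether a photo 'vault' really encrypts or merely hides and renames files.
Added example, not from the article; the sample vault below is constructed."""
import math
import os
import tempfile
from collections import Counter

# Leading bytes of common photo formats: present means the bytes are still a
# plain image, whatever the file name, extension or directory says.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; properly encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> str:
    """'plain-image' if an image header is present, 'opaque' if high entropy
    with no known header (consistent with real encryption), else 'other'."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if any(head.startswith(magic) for magic in IMAGE_MAGIC):
        return "plain-image"
    return "opaque" if shannon_entropy(head) > 7.5 else "other"  # 7.5 is an assumed cut-off

def audit_vault(root: str) -> dict:
    """Walk root as a file browser would (dot-directories included) and map
    each file, as a '/'-separated path relative to root, to its verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings[rel] = classify(full)
    return findings

def build_sample_vault() -> str:
    """Constructed fixture: a hidden dot-directory holding a JPEG with junk
    appended after its extension (the rename trick), plus random bytes standing
    in for the output of an app that genuinely encrypts."""
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, ".secret_pictures")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "IMG_001.jpg.xyz"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)  # JPEG SOI marker + padding
    with open(os.path.join(hidden, "IMG_002.enc"), "wb") as f:
        f.write(os.urandom(4096))
    return root
```

Run `audit_vault` over the app's storage directory on your own phone's backup: a "plain-image" verdict on a file the app claims to have hidden means the protection is only a rename.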

The app lets you hide its own icon too so people won't even know that you have an app for hiding stuff.

All this functionality does come at a price though.

After an initial number of free uses you have to pay in order to be able to encrypt or hide further files.

Due to the extra functionality you will also need to hand over a lot of access permissions to your phone and given that you're looking for extra security and privacy, this may be something that you have reservations about.

Private Gallery

Another promising-looking app is Private Gallery, which also seems to encrypt your photos, meaning they cannot easily be viewed outside of the app.

This app is free but it's supported by adverts from an ad network that compromises on security by transmitting the location and identification data from your phone in the clear.

The app also requires some permissions which seem unnecessary given its purpose (for instance, the ability to dial numbers and view/edit your browser history).

Again, if you're in the market for added security and privacy then these concessions may concern you.

Vaulty

The last app I tried was Vaulty which also seems to live up to its promises.

Vaulty looks a little more considerate in that it asks for a more acceptable list of permissions. It also offers a decent balance of functionality in the free version with optional extras in paid-for plugins. If I had a need for a photo/text message privacy app I'd probably go for this one as it seems to ask for the least in return for the most.

Looking into the history of Vaulty highlighted a different problem though.

An automatic update from the developer borked the app for many users, rendering their encrypted files inaccessible. The fault was corrected in a rushed patch but it still demonstrates that should this happen again your protected photos and files might not always be recoverable.

Of course, this risk applies equally to any app which encrypts your data.

In summary, not all apps are created equal and two apps that appear to offer the same service might in fact give very different levels of functionality.

Sooner or later I expect we'll see an app developer being held accountable for leaked secrets. After all, they promised the unsuspecting user that they would protect those secrets.

It would be better if the descriptions of these Android apps properly reflected what each app does and does not do. At least then users can make an informed choice about how much they wish to trust the app, and whether it is sufficient for the intended purpose.

And, of course, my advice echoes those who have gone before me - there is really no situation where you absolutely have to store on your phone naked photographs of yourself.

If you have a photograph or sensitive information that you don't want others to see then try to avoid putting it on a device that others are likely to use.

If you're still determined to go ahead then avoid having anything identifiable in the frame, both of yourself and in the background of the picture.

That way you can at least pretend that it's not you in the photograph when it falls into the wrong hands.
